opnsense / core

OPNsense GUI, API and systems backend
https://opnsense.org/
BSD 2-Clause "Simplified" License

OpenVPN revoked certificates can connect #7935

Open Krustak opened 1 month ago

Krustak commented 1 month ago

Describe the bug

Hello,

I'm using OpenVPN on OPNsense in a configuration that doesn't need a user name or password, so I'm only validating users by certificates created by my OPNsense CA. I have a CRL and I have it configured in the OpenVPN server as the Certificate Revocation List. When I edit the CRL and add any of my certificates, I can still connect using the .ovpn file with the revoked certificate.

Thank you.

Expected behavior

Once a certificate is revoked, OpenVPN should not allow a connection with it.

Screenshots

Screenshot_1, Screenshot_3 (images not reproduced)

Environment

OPNsense 24.7.5_3 (amd64).

AdSchellevis commented 1 month ago

OpenVPN (like a lot of other services) doesn't instantly reload CRLs; restart the affected service and you should be fine.

Krustak commented 1 month ago

Is it possible to add "Restart OpenVPN service" to the cron commands? It seems it's not there, unlike, for example, the IPsec service and the WireGuard service.

Thank you.

PS: I have restarted the OpenVPN services (all of them) and I can still connect with the revoked certificate.

Krustak commented 1 month ago

Hello, correction: it started working once I rebooted the whole machine. So I created a cron job to reboot OPNsense at night to apply all CRLs.